angry_octet | 3 days ago

It seems much more a compliance and auditing goal. To meet some objective of knowing who is in the office at what time, which informs office space leasing decisions, return to office mandates, decisions of charging for staff parking, etc. Personnel protection seems almost an afterthought.

Protecting JIRA auth tokens is quite likely low down the list for IT security. Making sure your workers are not remote North Koreans is indeed a security benefit of secured physical offices with regular on-site work.

But the author did have a deeper point -- visible security theatre gets lots of money and management attention, while meaningful expert driven changes are mired in bureaucracy.

handoflixue | 2 days ago

I still challenge whether his proposal was actually "meaningful, expert driven changes" - is this actually a serious threat vector? How would you actually exploit it, without having access to dozens of other vectors? Can you even meaningfully resolve that vulnerability when you have people walking in off the streets due to a lack of physical security?